Bad actors continue to stay one step ahead of cybersecurity specialists when it comes to Android TV boxes running harmful malware. Last year, experts began combatting ‘Badbox’ malware that was discovered infecting over 20 million streaming boxes running an open-source Android platform. Unfortunately, a new variant of the malware has been discovered by researchers at Bitsight, and this one is potentially even more harmful.
“This botnet was presumed dead, after a push to stop its spread. However, not only is it still active, but it also appears to be larger and more versatile than previously anticipated,” said Pedro Falé, Threat Researcher at Bitsight.
While previous versions of Badbox were found to infect open-source Android TV boxes, this new variant can infect Smart TVs. Thankfully, it seems that official Android and Google Smart TVs are unaffected; so far the malware has only been seen on Smart TVs that run open-source Android software.
“First, the models ranging from YNDX-00091 to YNDX-000102 are 4K Smart TVs from a well-known brand, not cheap Android TV boxes,” Falé explains. “It’s the first time a major brand Smart TV is seen directly communicating at such volume with a BADBOX command and control (C2) domain, broadening the scope of affected devices beyond Android TV boxes, tablets, and smartphones.”
As usual, Google has released a statement reiterating that official, Play Protect certified Android devices are unaffected.
The following was originally published September 19, 2024:
Off-brand ‘Android TV’ boxes continue to be plagued by malware, with a new batch dubbed “Android.Vo1d” found to be infecting over a million devices across nearly 200 countries. Official, Google-approved products these are not, and that’s the main issue. The affected boxes run AOSP (Android Open Source Project), making them easy targets for bad actors.
As first reported by Ars Technica, security firm Dr. Web discovered the new malware and the vast scope of the infection:
“Doctor Web experts have uncovered yet another case of an Android-based TV box infection. The malware, dubbed Android.Vo1d, has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.”
Currently, the Android TV box models that are affected are R4, TV BOX, and KJ-SMART4KVIP, running AOSP versions 7, 10, or 12. As yet, researchers have been unable to determine the method used to infect the devices, but they are still studying the new crop of malware.
A Google spokesperson has issued the following statement to Ars Technica regarding the matter:
“These off-brand devices discovered to be infected were not Play Protect certified Android devices. If a device isn’t Play Protect certified, Google doesn’t have a record of security and compatibility test results. Play Protect certified Android devices undergo extensive testing to ensure quality and user safety.”